Government applications still riddled with serious security flaws

But fixes them quickly once discovered, Veracode analysis finds

The US government sector is markedly worse than private industry at eliminating a range of common but serious flaws from software code, an analysis of real applications submitted for review to testing company Veracode has found.

The company found that 75 percent of government applications (including federal, state and local government) suffered from potentially serious cross-site scripting (XSS) flaws, considerably above the 67 percent for finance and 55 percent for the software industry itself.

Another significant issue, SQL injection, was also high at 40 percent of tested applications, again above the 30 percent for finance and 29 percent for software. Only on information leakage from applications was government roughly as poor as the finance and software industries, with a prevalence of 66 percent.

SQL injection and XSS flaws matter in the real world. The report quotes the Web hacking database, which cites SQL injection as being connected to 20 percent of all hacking incidents, including high-profile breaches such as that suffered by Sony earlier this year. XSS, meanwhile, ranks in the top three in terms of its seriousness in real attacks.

Government application code was found to comprise a mixture of .NET, Java and ColdFusion, in that order of prevalence, with the latter reflecting the sector's heavy bias towards web applications.

ColdFusion was a particular source for XSS issues, caused, the researchers say, by the lower experience levels of programmers using the language.

“Essentially the percentage of affected web Government applications has not changed over the past two years for cross-site scripting, SQL Injection, and information leakage vulnerabilities,” the report notes.

“This [the incidence] is discouraging because of all the attention that has been devoted to these three high visibility and wide-spread vulnerabilities,” say Veracode’s researchers.

When it comes to remediation (the time it takes to fix issues once discovered), government does better, with 80 percent of flaws reaching a reasonable state within a week, compared to 71 percent for finance and 76 percent for software.